authority: increase secret seed size to 64 bytes

edgelesssys · Aug 12, 2024 · f695e97 · f695e97
1 parent e7cb052
commit f695e97
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 6 deletions.
diff --git a/coordinator/internal/authority/userapi.go b/coordinator/internal/authority/userapi.go
@@ -15,6 +15,7 @@ import (
 
 	"github.com/edgelesssys/contrast/coordinator/history"
 	"github.com/edgelesssys/contrast/internal/ca"
+	"github.com/edgelesssys/contrast/internal/constants"
 	"github.com/edgelesssys/contrast/internal/crypto"
 	"github.com/edgelesssys/contrast/internal/manifest"
 	"github.com/edgelesssys/contrast/internal/userapi"
@@ -50,11 +51,14 @@ func (a *Authority) SetManifest(ctx context.Context, req *userapi.SetManifestReq
 		}
 	} else if a.se.Load() == nil {
 		// First SetManifest call, initialize seed engine.
-		seedSalt, err := crypto.GenerateRandomBytes(64)
+		seed, err := crypto.GenerateRandomBytes(constants.SecretSeedSize)
 		if err != nil {
-			return nil, status.Errorf(codes.Internal, "generating random bytes: %v", err)
+			return nil, status.Errorf(codes.Internal, "generating random bytes for seed: %v", err)
+		}
+		salt, err := crypto.GenerateRandomBytes(constants.SecretSeedSaltSize)
+		if err != nil {
+			return nil, status.Errorf(codes.Internal, "generating random bytes for seed salt: %v", err)
 		}
-		seed, salt := seedSalt[:32], seedSalt[32:]
 
 		seedShares, err := manifest.EncryptSeedShares(seed, m.SeedshareOwnerPubKeys)
 		if err != nil {

diff --git a/e2e/workloadsecret/workloadsecret_test.go b/e2e/workloadsecret/workloadsecret_test.go
@@ -17,6 +17,7 @@ import (
 
 	"github.com/edgelesssys/contrast/e2e/internal/contrasttest"
 	"github.com/edgelesssys/contrast/e2e/internal/kubeclient"
+	"github.com/edgelesssys/contrast/internal/constants"
 	"github.com/edgelesssys/contrast/internal/kuberesource"
 	"github.com/edgelesssys/contrast/internal/manifest"
 	"github.com/edgelesssys/contrast/internal/platforms"
@@ -98,7 +99,7 @@ func TestWorkloadSecrets(t *testing.T) {
 		require.NotEmpty(stdout)
 		webWorkloadSecretBytes, err = hex.DecodeString(stdout)
 		require.NoError(err)
-		require.Len(webWorkloadSecretBytes, 32)
+		require.Len(webWorkloadSecretBytes, constants.SecretSeedSize)
 	})
 
 	t.Run("workload secret seed is the same between pods in the same deployment", func(t *testing.T) {
@@ -112,7 +113,7 @@ func TestWorkloadSecrets(t *testing.T) {
 		require.NotEmpty(stdout)
 		otherWebWorkloadSecretBytes, err := hex.DecodeString(stdout)
 		require.NoError(err)
-		require.Len(otherWebWorkloadSecretBytes, 32)
+		require.Len(otherWebWorkloadSecretBytes, constants.SecretSeedSize)
 		require.Equal(webWorkloadSecretBytes, otherWebWorkloadSecretBytes)
 	})
 
@@ -132,7 +133,7 @@ func TestWorkloadSecrets(t *testing.T) {
 		require.NotEmpty(stdout)
 		emojiWorkloadSecretBytes, err = hex.DecodeString(stdout)
 		require.NoError(err)
-		require.Len(emojiWorkloadSecretBytes, 32)
+		require.Len(emojiWorkloadSecretBytes, constants.SecretSeedSize)
 		require.NotEqual(webWorkloadSecretBytes, emojiWorkloadSecretBytes)
 	})
 }

diff --git a/internal/constants/constants.go b/internal/constants/constants.go
@@ -8,3 +8,10 @@ var (
 	Version          = "0.0.0-dev"
 	GenpolicyVersion = "0.0.0-dev"
 )
+
+const (
+	// SecretSeedSize is the size of the secret seed generated in the coordinator.
+	SecretSeedSize = 64
+	// SecretSeedSaltSize is the size of the secret seed salt generated in the coordinator.
+	SecretSeedSaltSize = 32
+)